Skill v1.0.0
ClawScan security
Frontend Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 12:07 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a coherent front-end developer assistant: its instructions, included example, and requested capabilities match the described purpose and there are no suspicious installs, credentials, or endpoints.
- Guidance: This skill appears to do what it says: help with front-end development and modify project files. Before using it, decide whether you want the agent to have read/write access to your project workspace and permission to run build/test commands (exec). Avoid providing any secrets or CI/CD credentials unless absolutely necessary. Review any code changes the agent proposes (and the example files) before committing or running them — the example contains a small import bug (useEffect not imported). If you need stricter controls, run the agent in an isolated dev environment or sandbox.
Review Dimensions
- Purpose & Capability (ok): Name/description (frontend React/Vue/Angular expert) match the SKILL.md content and the included example component. The skill declares developer actions (component authoring, optimization, testing), which align with the capabilities described.
- Instruction Scope (ok): Runtime instructions are scoped to development tasks (asking requirements, generating code, giving optimization advice). The SKILL.md explicitly permits use of editor/read/write and exec to run build/test commands — these are expected for a coding assistant. It does not instruct reading unrelated system files or environment secrets. Note: the example component has a minor bug (useEffect used but not imported), which is a code-quality issue, not a security concern.
- Install Mechanism (ok): No install spec (instruction-only) and no downloads or external installers are present, so nothing is written to disk by an installer. Low installation risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. Its stated need for file read/write and exec is proportionate to generating and testing code; it does not request unrelated secrets or cloud credentials.
- Persistence & Privilege (ok): always:false and no claims to modify other skills or system-wide settings. The skill does not request persistent elevated privileges.
